Your store’s uploads directory is browsable via the web.
Hi,
I just installed and activated WooCommerce on 2 different websites and it gives this error on both sites: “Your store’s uploads directory is browsable via the web. We strongly recommend configuring your web server to prevent directory indexing.”
I followed all the steps given in the link https://woocommerce.com/document/digital-downloadable-product-handling/#protecting-your-uploads-directory.
Also, there is another link, “browsable via the web”; when I click on it, it gives me a 404 error.
When I disabled the WooCommerce plugin the error was gone. When I re-enabled it, the error showed again.
Here is the error screenshot.
Please help me with the necessary solution.
Hi @yasar21,
I understand how concerning it feels to see that security notice showing up on both of your sites after enabling WooCommerce, even though you’ve already followed the recommended steps. It’s important that your uploads directory isn’t exposed publicly, so I’ll help you narrow this down.
From your message, you mentioned that clicking on the “browsable via the web” link leads to a 404 error. However, WooCommerce normally expects to see a 403 Forbidden response (meaning access is denied). Could you please confirm which one you’re seeing by sharing a screenshot of that error page? I visited your site’s uploads path (https://bycoppoletta.com/wp-content/uploads/woocommerce_uploads/) and got a GoDaddy “coming soon” page instead, so your server may already be handling things differently.
Also, when you followed the steps here: https://woocommerce.com/document/digital-downloadable-product-handling/#protecting-your-uploads-directory — did the WooCommerce notice disappear, or does it still show even after adding the .htaccess rules (or server config)? That will help confirm whether WooCommerce is detecting your changes.
Possible solutions you can try in the meantime:
- Check .htaccess or server rules: If your site is running Apache, make sure the .htaccess file inside /wp-content/uploads/woocommerce_uploads/ contains the deny rules from the documentation.
- For Nginx servers: Add an equivalent location block in your Nginx configuration to deny direct access.
- Verify caching: Sometimes hosting/server caching can still show the directory as accessible. Clear server cache (GoDaddy provides this) and test again.
- Confirm permissions: The uploads/woocommerce_uploads directory should not allow directory listing if rules are in place.
Once we confirm whether you’re seeing a 404 or a 403, we can fine-tune the fix.
Would you be able to share that screenshot of the error page so I can guide you with the exact next step?
Hi @lovingbro, thanks for the reply.
The URL (https://bycoppoletta.com/wp-content/uploads/woocommerce_uploads/) is not accessible as the website is not live for users; it's under development, so it shows coming soon.
Here is the screenshot of the requested URL; after visiting, it's a 404 error.
> Also, when you followed the steps here: https://woocommerce.com/document/digital-downloadable-product-handling/#protecting-your-uploads-directory — did the WooCommerce notice disappear, or does it still show even after adding the .htaccess rules (or server config)? That will help confirm whether WooCommerce is detecting your changes.
After following them the results are the same; the error is still there. Also, I have cleared the server cache from my hosting provider as well.
Hi @yasar21,
Thanks for the update and screenshot! I can see you’re getting a 404 error when accessing the woocommerce_uploads directory, which is actually good. It means the directory isn’t browsable. However, WooCommerce is still showing the warning, which suggests there might be a detection issue.
Here are a few things to check:
- Navigate to /wp-content/uploads/woocommerce_uploads/ in your file manager, look for a .htaccess file (you may need to enable “show hidden files”). It should contain:
    deny from all
- If you’re using Nginx instead of Apache, you can do that following this documentation.
- Go to WooCommerce → Settings → Products → Downloadable products and make sure the “Append a unique string to filename” option is enabled. This helps confirm WooCommerce is managing the directory correctly.
- Since you’re on GoDaddy hosting, they might have specific server configurations that interfere with WooCommerce’s directory detection. The 404 error you’re seeing suggests the protection is working, but WooCommerce might not be detecting it properly.
- Temporarily create a test file (like test.txt) in the woocommerce_uploads directory and try to access it directly via browser. If you get a 403 Forbidden error, the protection is working correctly.
I hope that helps. Let us know if you need anything else.
Hi @frankremmy, thanks for the reply.
> Navigate to /wp-content/uploads/woocommerce_uploads/ in your file manager, look for a .htaccess file (you may need to enable “show hidden files”). It should contain:
Yes, the directory contains .htaccess and has deny from all.
Also, I tried adding a test.txt file and checked the directory woocommerce_uploads, getting a 404 error.
But the warning is still there.
On the same hosting plan I have 3 WordPress websites. The older installation has no issues, but I created 2 new ones this week and both have the same warning.
Hi there!
Thank you for providing more information about the issue. Since you mentioned that both of your sites are showing the same issue, could you please confirm if you are using the same plugins on both sites? Have you tried deactivating all plugins except WooCommerce to see if you still face the same issue?
In the meantime, could you please try creating a staging site using the following plugin: WP Staging.
Once created, deactivate all plugins except WooCommerce, activate the default Storefront theme, and check if the issue still occurs.
If you are still facing the same issue, I’d like to understand your site properly. Please share with us the necessary information below for us to investigate the issue further:
- System Status Report which you can find via WooCommerce > Status
- Fatal error logs (if any) under WooCommerce > Status > Logs.
Please use https://pastebin.com/ or https://gist.github.com/ and share a link to that paste in reply here. Once we have more information, we’ll be able to assist you further.
Hi @shahzeenfarooq, thanks for the reply.
I already tried the troubleshooting of disabling all the plugins and found the error is generated by the WooCommerce plugin. When I disabled the WooCommerce plugin there was no error.
Here is the System Status Report, please check; there is no fatal error.
Also, I tried on a staging site; same error. Here is the screenshot.
Hi @yasar21,
Thank you for getting back to me and for sharing the screenshot along with your system status report. The error you’re seeing happens because your server allows directory browsing in the uploads folder, which can expose sensitive files (like digital downloads) to unauthorized access.
To fix this, please go to /wp-content/uploads/, create or edit the .htaccess file, and make sure it contains the following code:

    # Disable directory browsing
    Options -Indexes
    # Prevent access to PHP files
    <Files "*.php">
    Order Allow,Deny
    Deny from all
    </Files>
    # Block access to sensitive file types
    <FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

Next, navigate to /wp-content/uploads/woocommerce_uploads/, create or edit the .htaccess file there, and add the code below (or confirm it already exists):

    # Deny all direct access
    Order deny,allow
    Deny from all
    # Block directory browsing
    Options -Indexes

As an additional step, create an index.php file in both /wp-content/uploads/ and /wp-content/uploads/woocommerce_uploads/ and add the following code:

    <?php
    // Silence is golden.

Once done, clear your website cache. Then go to WooCommerce > Status > Tools and clear both transients. If the problem still persists, please reach out to your hosting provider to set rules that block directory browsing at the server level. Since your site is running on Nginx, the rules will differ from Apache configurations usually managed through cPanel.
I’ll be looking forward to your feedback.
Hi @mosesmedh, thanks for the reply.
As per your feedback, I have contacted my hosting support; they have asked me to wait for 24 hrs. Once the issue is resolved I will update here.
Hi there!
Thank you for the update. Once your host resolves the issue, please share if the issue was fixed by the changes suggested by my colleague, or if your hosting provider offered another solution. This will also help others who may face a similar issue.
Hi everyone,
Thanks to all @shahzeenfarooq @mosesmedh @frankremmy @lovingbro for your help and feedback.
All the above fixes were for Apache servers and mine was Nginx, so it was totally in the control of my hosting provider. And they are saying it's all good on their side. It may be a false positive from the WooCommerce plugin, so it is giving the warning. The directory is not accessible as it gives a 404 error.
Now I don’t know whether my issue has been solved or not; they just told me to dismiss it.
So for now I am marking it Solved; if I need any further help I will open this again.
Thanks for all your efforts and time, really appreciate it. God bless you all.
Hi there!
Thank you for the update, and I’m glad to hear your hosting provider confirmed everything is fine on their end. Since the directory isn’t actually accessible (404 error), it does sound like this may be a false positive warning.
We appreciate you taking the time to share the details and marking the thread as solved—it will surely help others who may run into the same situation.
If WooCommerce has been useful for your store and you’re happy with the support received, we’d truly appreciate it if you could leave us a quick 5-star review here: https://wordpress.org/support/plugin/woocommerce/reviews/#new-post
Feel free to open a new forum topic if you run into any other problem.
The topic ‘Your store’s uploads directory is browsable via the web.’ is closed to new replies.
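
The thread turns on telling apart a browsable directory, a 403, a 404, an empty index.php and a host "coming soon" page. As an added example (not part of the thread, and not WooCommerce's own detection code), this Python classifier sorts a response to the directory URL into those cases. The label names, the marker regex and the sample responses are assumptions of this example.

```python
import re
import urllib.error
import urllib.request

# Text that Apache mod_autoindex and nginx autoindex put in generated listings.
LISTING_MARKERS = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)

# Constructed sample responses (status, body); not captured from any real site.
SAMPLES = {
    "autoindex": (200, "<html><head><title>Index of /wp-content/uploads/"
                       "woocommerce_uploads/</title></head><body><h1>Index of"),
    "deny-rule": (403, "<h1>403 Forbidden</h1>"),
    "host-404": (404, "<h1>Not Found</h1>"),
    "silence-is-golden": (200, ""),
    "coming-soon": (200, "<html><title>Coming Soon</title></html>"),
}


def classify(status: int, body: str) -> str:
    """Classify a response to a request for the directory URL itself."""
    if status in (401, 403):
        return "denied"          # an explicit deny rule answered
    if status == 404:
        return "not-exposed"     # no listing served for this path
    if status == 200:
        if LISTING_MARKERS.search(body):
            return "browsable"   # server-generated index: files are enumerable
        if not body.strip():
            return "index-stub"  # an empty index.php / index.html answered
        return "other-content"   # e.g. a catch-all or "coming soon" page
    return "inconclusive"        # 3xx, 5xx, etc.: inspect manually


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch a directory URL (ending in '/') on your own site and classify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return classify(err.code, "")


if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:18} -> {classify(status, body)}")
```

Only the "browsable" result means file names can be enumerated; "other-content" is the case worth raising with the host, because a 200 that is not a listing can still confuse an automated check.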